VulnerableCode Package Details - pkg:apache/tomcat@8.5.96

Search for packages

Package details: pkg:apache/tomcat@8.5.96

Essentials
History (3)

purl	pkg:apache/tomcat@8.5.96

Next non-vulnerable version	8.5.99
Latest non-vulnerable version	11.0.8
Risk	10.0

Vulnerabilities affecting this package (2)

Vulnerability	Summary	Fixed by
VCID-ah95-hj74-aaaq Aliases: CVE-2017-12617 GHSA-xjgh-84hx-56c5	Unrestricted Upload of File with Dangerous Type When running Apache Tomcat with HTTP PUTs enabled it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.	9.0.1 Affected by 38 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ma76-864y-aaaf Aliases: CVE-2005-4836 GHSA-qrcx-p4rr-g48h	The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information.	There are no reported fixed by versions.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-pcvp-wv2z-aaas	Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.	CVE-2023-46589 GHSA-fccv-jmmp-qg76

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T13:19:21.130757+00:00	Apache Tomcat Importer	Fixing	VCID-pcvp-wv2z-aaas	https://tomcat.apache.org/security-8.html	36.0.0
2024-09-18T08:17:31.732760+00:00	Apache Tomcat Importer	Fixing	VCID-pcvp-wv2z-aaas	https://tomcat.apache.org/security-8.html	34.0.1
2024-01-04T02:15:35.633743+00:00	Apache Tomcat Importer	Fixing	VCID-pcvp-wv2z-aaas	https://tomcat.apache.org/security-8.html	34.0.0rc1